Overview
To allow access control over specific Workspot resources (desktops, desktop pools, and RD pools), Control supports Protocol Policies, which duplicate the "Protocol Settings" block in a Workspot Security Policy.
Key Features:
Protocol policies enable and disable user I/O access between the Workspot Client and the Workspot desktop or app.
By "I/O access," we mean the ability to send data between the local device and the Workspot desktop/app via local printers, local disks, the clipboard, and so on. In addition, audio and Webcam redirection can be disabled.
These repeat the restrictions available under Security policies.
Protocol policies take precedence over the “Protocol Settings” in a Security policy.
Differences between Protocol policies and Security policies:
Protocol policies are applied to specific pools or individual desktops. Security policies are applied to groups of users.
Protocol policies are optional (pools and desktops don't need to have a Protocol policy). Security policies are mandatory (every user in every group has a Security policy).
Protocol policies are assigned in pairs: one when the Client is on the corporate network and one when the Client is not. A user only has one Security policy.
Best Practices
When you have desktops/apps that need different restrictions than would normally apply to their users, Protocol policies are ideal. That is:
When restrictions are based on the resource, not the user/group, use Protocol policies in addition to Security policies.
When restrictions are based on whether is on the Internet or the corporate network, use Protocol policies in addition to security policies.
Otherwise, use Security policies only.
If you rely on Protocol policies for a given pool, disable support for the Workspot Clients that don't support Protocol policies (currently Workspot Client for the Web and Workspot HTML5 Client).
Local vs. Remote Protocol Policies
Protocol policies are assigned in pairs: one for when the Workspot Client is on the corporate network and one for when it is connecting over the Internet. The Internet case is usually more restrictive.
This mechanism uses the Location Detector mechanism to distinguish between users on the company network and those outside it.
Creating a Protocol Policy
Protocol policies are listed on Control's "Policies" page with the rest of the policies. There is no default Protocol policy.
To create a Protocol policy:
1. In Control, click "Policies > Add a New Policy."
2. On the "Add a New Policy" page, assign a name to the policy and select "Protocol Policy" from the "Policy Type" Menu.

3. Fill in the "Protocol Settings" to suit your needs. These settings will be shown in the next section. You can change these settings later by editing the policy.
4. Select the pools and individual desktops you wish to use the policy initially. You can change these assignments later by editing the policy.
5. Click "Add Policy."
Protocol Settings
The protocol settings are shown below. These are the same as the “Protocol Settings” in a Security policy.

Apply To Pools/Desktops

The "Apply To" section lets you select desktops and pools to apply the policy to. Use the search box to find the desired resources and select them from the list of results.
Assigning a Protocol Policy to a Desktop Pool

You can also apply a Protocol policy to a desktop pool through the "Resources > poolname > Actions menu > Edit.”
There are two Protocol policy menus, one for “When Client is on Internet” and one for “When Client is on Company Network,” as determined by Location Detection. In the menus:
“— Select —” means “None.”
You can specify the same Protocol policy to both categories.
If the two are different, it is generally to add more restrictions to Internet-connected users than local ones.
Assigning a Protocol Policy to a Single Desktop

In Control, go to “Resources > poolname > desktopname.” In the “Protocol” section, click the “Assign” buttons to assign protocol policies to the individual desktop.
Viewing Pool Assignments
The Protocol policy, if any, is listed on each desktop pool's "Resources > VDI Pools > poolname" page. For RD pools, the page is "Resources > RD Pools > poolname."

Viewing Desktop Assignments
For persistent pools only, you can assign Protocol policies to individual VMs. To see these assignments, go to the "Resources > VDI Pools > poolname" page and click the "Details" tab. The "Protocol Policy" column shows the Protocol policy for the VM, if any:

